On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote: > On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote: > > More soft/anecdotal: > > > > When executing "sudo -i" or "sudo -iu" the first time, we can expect > > a several second delay before the command completes. If we then exit > > the session and re-execute the command, it will complete almost > > instantly. So whatever cache is holding this information, if we > > could increase its duration, that would certainly make our pain > > less. Is this a settable value? > > > > Entering a password into a screensaver is particularly painful. 10+ > > seconds before the screensaver will exit. > > > > We are looking at environmental possibilities, like interfaces and > > such. This machine is running on a VMware VM, but we've had success > > deploying IPA on VMs in the past, and our faster network is running > > VMs as well (with one physical box). > > Can you try increasing this option: > > pam_id_timeout (integer) > For any PAM request while SSSD is online, the SSSD will attempt to > immediately update the cached identity information for the user in > order to ensure that authentication takes place with the latest > information. > > A complete PAM conversation may perform multiple PAM requests, such > as account management and session opening. This option controls (on > a per-client-application basis) how long (in seconds) we can cache > the identity information to avoid excessive round-trips to the > identity provider. > > Default: 5
I should also have explicitly said that the option belongs to the [pam] section. _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
